Israel rolls out ‘green passport’ for vaccinated. It’s a security disaster
https://www.haaretz.com//misc/article-print-page//.premium-israel-s-digital-green-pass-is-a-security-disaster-1.9582485
Leaky app
Another discovery they made indicates there is a possibility of an information leak. The problem lies in the process in which the app allows users to reach out to the Health Ministry via the app’s contact page.
Every time you connect to the app, an email is sent to the Health Ministry, which is standard and poses no issue. However, when a message is sent through the app’s contact page, another email is also sent out, but not to an official government mail, but rather to a private Gmail address.
This address is completely private, and it also serves a Facebook account, a Twitter account and other accounts. Moreover, that information about the email account was obtained by checking databases of user names and passwords leaked from various apps.
In other words, the passwords connected to this address have already been leaked. Perhaps these passwords have since been changed and there’s no risk of anyone hacking into that email. But the Health Ministry has no way to verify this as this is a private Gmail account, and not under the state’s direct and immediate oversight.
Whose Gmail?
An investigation revealed that this email belongs to a ministry official involved in the app’s development. For some reason, she opted to receive all queries sent via the app to her personal email. This is a problem, because these requests can include Israelis’ personal and medical information.
It also attests to extremely problematic practices with regard to information security and privacy. All information sent via the app ought to go to the Health Ministry’s servers, not to a ministry bureaucrat’s personal Gmail account, which she also uses to register for apps like MyFitness and MyHeritage. With apologies to Gabriel Garcia Marquez, this is a chronicle of an information leak foretold.
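The routing defect described above lends itself to a mechanical check. The following is an added example, not code from the article or from the ministry's app: a small audit that rejects any contact-form recipient hosted at a consumer webmail provider or outside an allow-listed organisational domain. The domain `health.gov.example` and the addresses in the two configurations are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed placeholder: substitute the organisation's own mail domain(s).
ALLOWED_RECIPIENT_DOMAINS = {"health.gov.example"}
# Consumer webmail providers: mail routed here leaves the organisation's oversight.
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}

_ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def recipient_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of a mail address, or None if it is malformed."""
    match = _ADDR_RE.match(address.strip())
    return match.group(1).lower() if match else None


def audit_recipients(recipients: List[str]) -> List[str]:
    """Return one finding per recipient that must not receive contact-form content.

    A recipient is rejected if it is malformed, hosted at a consumer webmail
    provider, or outside the allow-listed organisational domains.
    """
    findings = []
    for addr in recipients:
        domain = recipient_domain(addr)
        if domain is None:
            findings.append(f"{addr!r}: malformed address")
        elif domain in FREEMAIL_DOMAINS:
            findings.append(f"{addr}: personal webmail account, outside organisational control")
        elif domain not in ALLOWED_RECIPIENT_DOMAINS:
            findings.append(f"{addr}: domain {domain} is not an allow-listed recipient domain")
    return findings


# Constructed configurations: the weak one mirrors the article's finding (a copy of
# every contact-form message also goes to a private Gmail address); the fixed one
# routes only to an address under the organisation's own domain.
WEAK_CONTACT_CONFIG = {"contact_form_recipients": ["support@health.gov.example", "some.official@gmail.com"]}
FIXED_CONTACT_CONFIG = {"contact_form_recipients": ["support@health.gov.example"]}


def audit_contact_config(config: Dict[str, List[str]]) -> List[str]:
    """Audit the contact-form routing section of a deployment configuration."""
    return audit_recipients(config.get("contact_form_recipients", []))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONTACT_CONFIG), ("fixed", FIXED_CONTACT_CONFIG)):
        print(name, audit_contact_config(cfg) or "OK")
```

Run as a CI step against the deployed configuration, a non-empty finding list blocks the release before any message can be routed to an address the organisation does not control.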
But this email address, which includes the official’s full name, also seemed familiar to me, and after a few moments’ thought, I remembered why: This same official, who doesn’t identify herself as a Health Ministry employee in her personal profile and even claimed that she didn’t work at the ministry, has written to me on Facebook several times. Among other things, she accused me of being venomous and said my reports should never have been published in the paper, but should have been sent directly to the ministry.
Given the researchers’ findings, the question that must be asked is what we ought to do: Should we rely on the app, or should we download the green passport directly from the ministry’s website and use that instead of the app?
For now, I’d advise against using the app until it’s approved by an external information security expert who was involved in the development process - or is at least privy to its full details. Instead, people should go to the ministry’s website and print out a paper version of the green passport, which has a barcode. It’s better to do so at night or early in the morning, because the site tends to crash during peak hours.
I asked the ministry why all the support questions are sent to that particular official and whether the website has been examined by an outside security expert.